Hi,

First off, please excuse the naivety of this question, but pen test isn't an area of expertise. However, my question is, are you aware of any free tools (ideally that dont need installing on a system - so command prompt applications) whereby I need to check a list of domain usernames against a list of 3 passwords to get some of the report of any accounts whose password is one of my list of 3.

I know you can dump hashes from domain controllers with pwdump etc and check them offline with tools like Cain and Ophcrack but I dont really want to do that as the scope is to just test a pre-defined set of accounts, not the capacity to check every account.

Any free little command line tools that can help and I can download for free would be excellent.

Wow, it's difficult to follow that up with a response that doesn't make you look like a noob...

I was just going to say, since you're only checking three passwords, it might be easiest to perform an online SMB-based attack using something like Hydra or Medusa. The performance gains of dumping the hashes and running an offline attack would probably be negligible with so few passwords.

You could run that from a Linux VM and not be required to install anything anywhere in a host system. You would have to be careful about account lockout though. If you're using the common threshold of three invalid login attempts, either bump that up a bit or space out the guesses a little.

If you only have three tries, trim this list down:

password
Password1
Companyname1
Currentmonth2013 (or 2012)
Currentseason2013 (or 2012)